
Governance, Risk and Compliance (GRC)
Process Implementation Workshop

Speaker Name
Date

Ref: 0001575
Implementation Guiding Principles

• Use out-of-the-box (OOB) Best Practice as the Baseline


• Focus on configuration, not customization
• Challenge current practice
• Don’t break current business; look for opportunities
• Eliminate pain points
• Be lean, be Agile – embrace change!

2 © 2020 ServiceNow, Inc. All Rights Reserved. Confidential.


Objectives, Goals, Outcomes

• <Review and confirm primary business objectives and known requirements>


• <Objective #1>
• <Objective #2>
• <Objective #3>
• <Objective #4>
• <Objective #5>



ServiceNow Team

• <Process Consultant Name> – Role: Facilitator/Process SME
• <Technical Consultant / Architect Name> – Role: Product Technical Leader & SME
• <Project Manager Name> – Role: Project Implementation SME and Scribe



Introductions

Name | Experience | Role | Expectations



Expectations of Participants

• Workshop participants are selected to be champions for the new process – you are the agents for change!
• Make clear decisions on design during the workshop. All requirements will be captured as stories in ServiceNow.
• Participants represent their respective areas. The Customer’s Audit Management Process Owner commonly has final power of veto.
• Items not resolved in the time available in the workshop will go on a Parking Lot list for resolution post workshop. All Parking Lot items, and their agreed solutions, will be documented in ServiceNow.



Workshop Deliverables
Workshop Outcomes:
• Definition of the Audit Management processes
• High level architecture of the solution (including any integrations)
• Process workflow definition to be used within the ServiceNow Platform
• Development Lifecycle strategy for the project
• Defined Requirements that can be loaded into User Stories
• “Parking Lot” list of post workshop activities
Workshop Exclusions:
• Detailed training on how to use the ServiceNow Platform
• Creation/Modification of forms, reports, workflows, or other ServiceNow application components during the workshop (except for demos)



Housekeeping
• Start and finish on time
• Breaks will be taken as needed; approximately every two hours
• Return from breaks and lunch promptly; if late, catch up during breaks or after the Workshop
• Points needing greater detail will be recorded in a “Parking Lot” for later resolution
• All phones on vibrate; please leave the room if you must take a call
• Avoid the temptation to check Email; please keep laptops closed unless taking notes or working on something for this Workshop
• Active participation and listening
• Silence = Concurrence with point made
• Everyone’s ideas are valued



Day 1 - Policy and Compliance Agenda

Session (Time)

• Welcome (0.5hr)
  – Welcome and Meeting Cadence
  – Introductions
  – Workshop Overview
• High level overview and discussion of the Business Requirements (1.5hr)
  – Understand the Policy and Compliance current and future state
  – Review the pre-workshop data gathering sheet
  – Understand need for integration / data uploads
• Policy and Compliance Management Structure and Architecture (2hrs)
  – Controls, Authority Document, Citations, Policies, Policy Acknowledgement
• Break (1hr)
• Processes Definition (2hrs)
  – Policy, Control and Policy Exception processes and notifications
  – Continuous monitoring, integration
  – Attestations
  – Entity Architecture
• Roles and Responsibilities (1hr)
  – Compliance Admin, Compliance Manager, Compliance User
• Reporting and Analytics (0.5hr)
  – Base Dashboards and Reports
• Requirements Review / Next Steps (0.5hr)
  – Run through of user stories documented to date


Day 2 - Risk Management Agenda

Session (Time)

• Recap – Day 1 (0.5 hr)
• High level overview and discussion of the Business Requirements related to Risk (1.5 hrs)
  – Risk Management current and future state
• Risk Management Structure and Architecture (1hr)
• Risk Response and Scoring (1hr)
• Break (1hr)
• Risk Roles and Responsibilities (1hr)
• Requirements Review / Next Steps (1hr)
  – Run through draft user stories documented on Day 2


Day 3 - Advanced Risk Management Agenda

Session (Time)

• Recap – Day 3 (0.5hr)
• Advanced Risk feature demo (0.5hr)
• Risk Events (2hrs)
  – Risk Events, Risk Event State flow, Risk Event Response Template
  – Risk Event catalog item
  – Risk Event integration
• Break (0.75hr)
• Advanced Risk Assessments (2hrs)
  – ARA Methodologies
  – Factors
  – ARA Scope
  – ARA workflow
  – ARA tasks
• Risk Roles and Responsibilities (0.5hr)
• Advanced Risk Dashboards (0.5hr)
• Requirements Review / Next Steps (0.5hr)
  – Run through draft user stories documented on Day 2


Day 4 - Audit Management Agenda

Session (Time)

• Recap – Day 2 (0.5hr)
• High level overview and discussion of the Business Requirements related to Audit (1hr)
  – Understand [Customer] Audit Management current and future state
• Feature Demo (overview) (1hr)
  – Audit Management Process and Architecture
• Audit Management Structure (1.5hr)
  – Engagements, Test templates, Audit Tasks, Test templates, Control tests
• Break (1hr)
• Roles and Responsibilities (1hr)
• Reporting and Analytics (1hr)
  – Reports, Dashboards, PA widget, notifications, escalations
• Requirements Review / Next Steps (1hr)
  – Run through of user stories documented on Day 3


Policy & Compliance Architecture



What are Controls?
• A Control is a specific activity performed by people, or systems designed, to ensure that business objectives are met.

Specific ACTIVITIES

Performed by People or SYSTEMS

Designed to ENSURE

Business OBJECTIVES ARE MET



Control Selection
Many companies treat each regulation or framework as an independent set of controls, which leads to:

• Multiple Audits
• Redundant tests
• Repetitive evidence gathering

Organizations are spending thousands of man-hours and hundreds of thousands of dollars in excess audit fees each year!

The Solution
A consolidated list of controls that maps to all of your regulatory and operational requirements. This is accomplished via the IT UCF which is available in Fuji. This allows for “test once, comply many.”

UCF = Unified Compliance Framework



Effective Control Design

Diagram: IT Service Management
• Incident Management – Priority Calculation, End User Validation
• Change Management – Back Out Plans, Testing



Authority Document
Authority Documents are the statutes, frameworks, standards, and best practices that an organization chooses to adopt or is required to follow for compliance with regulations. Authoritative Documents are the top of the compliance hierarchy in ServiceNow.



Authority Document
• Name
• Common Name
• Source
• Category
• Version
• Valid from
• Valid to
• Description
• URL
• Type
  – Audit guideline
  – Best practice
  – Bill or act
  – Contractual Obligation
  – International or National Standard
  – Not set
  – Organization directive
  – Regulation or Statute
  – Safe Harbor
  – Self-Regulatory Body Requirement
  – Vendor Documentation



Citations

• In ServiceNow, Citation records are the specific requirements cited by an Authoritative Document.
• The Citation record is what connects the Authoritative Document to its applicable control(s).



Citation
• Name
• Reference
• Source
• Source ID
• Parent
• Description
• Authoritative Document
• Type
  – Control Objective
  – Control
  – Supporting Information
  – Process
  – Core Topic



Policies

• ServiceNow GRC enables the management and storage of policies.



Policy Management Process

Draft → Review → Awaiting Approval → Published → Retired



Policies
• Name
• State
  – Draft
  – Review
  – Awaiting approval
  – Published
  – Retired
• Type
  – Policy
  – Procedure
  – Standard
  – Plan
  – Checklist
  – Framework
  – Template
• Owning group
• Owner
• Valid from
• Valid to
• Approvers
• Reviewers
• Description
• Policy text
• Knowledge base
• Article template
• KB article



Policy Acknowledgement campaigns


1. Setup Acknowledgement Campaign

Process diagram (swimlanes: Policy and Compliance → Policy Acknowledgment Campaign):
• Policy Acknowledgment Setup: Policy, Policy Owner, Audience, Reference Material URL
• Create Acknowledgment Campaign: Policy and Policy Owner, Valid from and Valid to, Response expected by, Audience & Reference Material URL
• Decision points: Decline? / Request Exception?

Policy Acknowledgment setup on a policy applies to all the campaigns created for that policy. The campaign has valid from and valid to dates, and ‘Response expected by’ days are set for employees to reply back by.



2. Send Acknowledgement tasks to audience

Process diagram (swimlanes: Policy and Compliance → Policy Acknowledgment Campaign → Acknowledgments):
• Campaign: Policy and Policy Owner, Valid from and Valid to, Response expected by, Audience & Reference Material URL
• Send Policy Acknowledgments: Policy, Reference Material URL, Due Date
• Acknowledgment Status: Accepted / Declined / Exception-Requested / Exempted

A Policy Acknowledgment Campaign is set up for a duration of time, and all the acknowledgments sent out are valid for that duration. Acknowledgments are created for a given campaign and have a due date on them by when the responses are expected from the employees. The responses are captured and are presented on the campaign.


Policy acknowledgements response



Control Objectives



Control Objectives
• Name
• Source
• Source ID
• Reference
• Policy
• Parent
• Description
• Attestation
• Classification
  – Preventative
  – Corrective
  – Detective
  – IT Impact Zone



Control Objectives
Type

• Acquisition/Sale of Assets or Services
• Actionable Reports or Measurements
• Audits and Risk Management
• Behavior
• Business Processes
• Communicate
• Configuration
• Data and Information Management
• Duplicate
• Establish Roles
• Establish/Maintain Documentation
• Human Resources Management
• Investigate
• IT Impact Zone
• Log Management
• Maintenance
• Monitor and Evaluate Occurrences
• Physical and Environmental Protection
• Process or Activity
• Records Management
• Systems Continuity
• Systems Design, Build, and Implementation
• Technical Security
• Testing
• Training



Control Objectives
Category

• Acquisition or sale of facilities, technology and services
• Audits and Risk Management
• Compliance and Governance Manual of Style
• Human Resources management
• Leadership and high level objectives
• Operational management
• Physical and environmental protection
• Privacy protection for information and data
• Records management
• System hardening through configuration management
• Systems continuity
• Systems design, build, and implementation
• Technical security
• Third party and supply chain oversight
• Root
• Deprecated



Policy Hierarchy

• Provides customers the ability to define a hierarchy of policies, control objectives, procedures, plans, standards, etc. to help define, measure and attain their business, operational and IT objectives
• The new hierarchical structure allows control objectives to be related to more than one policy
• Enables calculation and roll-up of compliance scores across a hierarchy of policies



Policy Hierarchy

• Example
– Company IT security policy
• AMS IT security policy
• EMEA IT security policy
• APAC IT security policy

• If required, associate a control objective to multiple policies

• Calculate compliance scores across the hierarchy of policies and roll it up to the parent level policy
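A worked roll-up of compliance scores over the Company/AMS/EMEA/APAC hierarchy above, added here as an illustrative model; it is not code from the deck or from ServiceNow. It assumes a policy's score is compliant controls over assessable controls (Not Applicable excluded), and that a control objective related to more than one regional policy is counted once when rolling up to the parent; both are assumptions for illustration, and the sample data is constructed.

```python
"""Compliance score roll-up across a policy hierarchy (illustrative model,
not ServiceNow code).

Assumptions, labelled here and in the lead-in:
- Control Status is one of Compliant / Not Compliant / Not Applicable.
- A policy's score = compliant / (compliant + not compliant), in percent;
  Not Applicable controls are excluded from the denominator.
- A parent's score is computed over the distinct controls of all policies
  below it, so a control objective related to more than one policy is
  counted once in the roll-up rather than once per policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COMPLIANT = "Compliant"
NOT_COMPLIANT = "Not Compliant"
NOT_APPLICABLE = "Not Applicable"


@dataclass
class Control:
    name: str
    status: str


@dataclass
class ControlObjective:
    name: str
    controls: List[Control]


@dataclass
class Policy:
    name: str
    parent: Optional[str] = None
    control_objectives: List[ControlObjective] = field(default_factory=list)


class PolicyHierarchy:
    def __init__(self, policies: List[Policy]) -> None:
        self.policies: Dict[str, Policy] = {p.name: p for p in policies}
        for p in policies:  # reject dangling parent references early
            if p.parent is not None and p.parent not in self.policies:
                raise ValueError(f"unknown parent policy: {p.parent}")

    def children(self, name: str) -> List[Policy]:
        return [p for p in self.policies.values() if p.parent == name]

    def controls_under(self, name: str) -> Dict[str, Control]:
        """Distinct controls (keyed by name) of a policy and all its descendants."""
        found: Dict[str, Control] = {}
        for objective in self.policies[name].control_objectives:
            for control in objective.controls:
                found[control.name] = control  # same control -> counted once
        for child in self.children(name):
            found.update(self.controls_under(child.name))
        return found

    def score(self, name: str) -> Optional[float]:
        """Compliance score in percent, or None when nothing is assessable."""
        assessable = [c for c in self.controls_under(name).values()
                      if c.status != NOT_APPLICABLE]
        if not assessable:
            return None
        compliant = sum(1 for c in assessable if c.status == COMPLIANT)
        return round(100.0 * compliant / len(assessable), 1)


def build_example() -> PolicyHierarchy:
    """Constructed sample data mirroring the deck's Company/AMS/EMEA/APAC example."""
    patching = ControlObjective("Patch management", [
        Control("Patch production servers", COMPLIANT),
        Control("Patch end-user endpoints", NOT_COMPLIANT),
    ])
    encryption = ControlObjective("Data at rest encryption", [
        Control("Full-disk encryption on laptops", COMPLIANT),
    ])
    physical = ControlObjective("Physical access", [
        Control("Badge access to server rooms", COMPLIANT),
        Control("CCTV retention", NOT_APPLICABLE),
    ])
    company = "Company IT security policy"
    return PolicyHierarchy([
        Policy(company),
        # the patching objective is related to two regional policies
        Policy("AMS IT security policy", company, [patching]),
        Policy("EMEA IT security policy", company, [patching, encryption]),
        Policy("APAC IT security policy", company, [physical]),
    ])


if __name__ == "__main__":
    hierarchy = build_example()
    for policy_name in hierarchy.policies:
        print(f"{policy_name}: {hierarchy.score(policy_name)}")
```

Without the de-duplication the parent would count the shared patching controls twice and report 66.7 instead of 75.0.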



Policy Exception Management

• Provides temporary relief for control owners unable to meet compliance requirements due to extraordinary situations
  – e.g. inability to meet a control objective/control that stipulates that all critical servers’ OS be patched within 48 hours after the OS vendor releases patches, as some servers are off-line for a limited period of time
• Allows exceptions to be requested for a specific Policy, Control Objectives (controls) and Issues
  – Request exceptions from the GRC application (GRC users)
  – Request exceptions from the GRC service catalog (non-GRC users)
• Helps Compliance and Risk Managers to assess risk from potentially granting an exception prior to approving one
• Also provides a logical link to risk handling/treatment (Accept/Mitigate/Reject) as part of the exception process
• Can be leveraged from within other applications (Vulnerability Response)



Policy Exception Management
• A policy exception can be requested for a policy, a control objective, an issue or a combination of the three. A selection of controls is mandatory except if the policy exception is requested for a policy or a Vendor Risk Management issue.

Relationship diagram: a Policy Exception links to a Policy, a Control Objective, Controls and an Issue; the Policy, Control Objective and Issue are related to each other.



Policy Exception Management Workflow
• A policy exception request follows a workflow which differs if the GRC: Risk Management plugin is installed or not.

Risk Management plugin not installed

Request Policy Exception → Policy Exception Review → Approved, or Reject/Closed

• Any user can request a policy exception
• Compliance Manager role is mandatory to request an approval
• Policy Exception Review actions: Request approval, Approve or Reject, Business Owner approval, Request more information, Request extension


Policy Exception Management Workflow
• A policy exception request follows a workflow which differs if the GRC: Risk Management plugin is installed or not.

Risk Management plugin installed

Request Policy Exception → Policy Exception Request Analyze → Risk Assessment → Policy Exception Review → Approved, or Reject/Closed

• Policy Exception Review actions: Business Owner approval, Request more information, Request extension



Policy Exception Management Notifications

Name | When is it sent | Recipients | Description
Notify requester rejected | When the policy exception state moves to Rejected | Requester and watch list users | Inform the requester and users in the watch list the policy exception request has been rejected
Request Extension (approver) | When an extension is requested | Approver and watch list users | Inform the approver and users in the watch list an extension has been requested
Notify watchlist new content | When a comment is added in the activity field | Watch list users | Inform the users in the watch list a comment has been added
Policy exception closed | When a policy exception is closed | Requester and the approver | Inform the requester and the approver the policy exception has been closed
Notify approver for review | When a policy exception state moves to review | Approver | Inform the approver the policy exception moved to review state


Name | When is it sent | Recipients | Description
Notify requester approved | When the policy exception state moves to Approved | Requester and watch list users | Inform the requester and users in the watch list the policy exception request has been approved
Notify requester extension approved | When a policy exception extension request is approved | Requester and the watch list users | Inform the requester and the watch list users the policy exception extension request has been approved
Notify requester extension rejected | When a policy exception extension request is rejected | Requester and the watch list users | Inform the requester and the watch list users the policy exception extension request has been rejected
Notify to policy exception assign group | When a policy exception approval is requested, or the approval group changes | Approval group members | Inform the approval group members a policy exception approval is requested by one of the approval group members


Name | When is it sent | Recipients | Description
Exception period passed 80 percent | When the time passed the 80% threshold between “Valid from” and “Valid to” | Requester, requester’s manager and watch list users | Inform the requester, their manager and the watch list users the active policy exception reached a threshold where an extension can be requested if necessary
Notify requester more info needed | When a compliance manager or the approver requests more information | Requester and watch list users | Inform the requester and watch list users more information is needed to approve or reject the policy exception
Notify watchlist for BU approval | When a compliance manager or the approver requests a business owner approval | Watch list users | Inform the watch list users a business owner will have to approve or reject the policy exception
Requester provided more information | When the requester sends back the information | Approver and watch list users | Inform the approver and watch list users the requester has provided some information
Controls
• Controls are the actual control activities that are to be performed by your organization. Control records include basic required information about the control (e.g., control owner, control activity, frequency, etc.).



Control Management Process

Draft → Attest → Review → Monitor → Retired



Controls

• Name
• Entity
• Control Objective
• Owning group
• Owner
• Key control
• Weighting
• Description
• Additional Information
• Classification
  – Preventative
  – Corrective
  – Detective
  – IT Impact Zone
• Frequency
  – Event driven
  – Daily
  – Weekly
  – Monthly
  – Quarterly
  – Semi-annual
  – Annually
• Enforcement
  – Mandatory
  – Voluntary
• Status
  – Compliant
  – Not Compliant
  – Not Applicable
• State
  – Draft
  – Attest
  – Review
  – Monitor
  – Retired



Controls
Type

• Acquisition/Sale of Assets or Services
• Actionable Reports or Measurements
• Audits and Risk Management
• Behavior
• Business Processes
• Communicate
• Configuration
• Data and Information Management
• Duplicate
• Establish Roles
• Establish/Maintain Documentation
• Human Resources Management
• Investigate
• IT Impact Zone
• Log Management
• Maintenance
• Monitor and Evaluate Occurrences
• Physical and Environmental Protection
• Process or Activity
• Records Management
• Systems Continuity
• Systems Design, Build, and Implementation
• Technical Security
• Testing
• Training



Controls
Category

• Acquisition or sale of facilities, technology and services
• Audits and risk management
• Compliance and Governance Manual of Style
• Human Resources management
• Leadership and high level objectives
• Operational management
• Physical and environmental protection
• Privacy protection for information and data
• Records management
• System hardening through configuration management
• Systems continuity
• Systems design, build, and implementation
• Technical security
• Third party and supply chain oversight
• Root
• Deprecated



Continuous Monitoring

• A recurring risk and compliance management process that helps an organization maintain an optimal security stance based on a sound IT security policy
• Enables customers to continuously monitor, validate compliance and manage risk to:
  – Specific IT security policies – e.g. organizational IT security policy
  – Industry standards – e.g. PCI, NERC CIP
  – Regulations – SOX, HIPAA
  – Best practices – CoBIT, NIST 800-53
• Requires the Configuration Compliance plugin



Continuous Monitoring – Use Case

• Define a typical IT GRC policy and control objectives (controls) therein; this will typically include technical controls, procedural or manual controls, surveys and self-assessments
• Map control objectives that are configuration-related to associated configuration tests in Configuration Compliance to set up a continuous compliance validation routine
• Assess overall compliance posture to policy by continuously monitoring compliance to technical and procedural controls; generate issues
• Understand overall effect on risk from policy violations
• Define remediation tasks for issues and drive remediation through GRC and Configuration Compliance to return non-compliant controls to compliance
• Maintain a continuous monitoring loop to ensure an optimal compliance stance
  – Monitor → Assess → Measure → Remediate



Continuous Integration Design

• Configuration compliance and GRC are mapped via control objective and configuration tests

Mapping diagram:
• Configuration Compliance: Configuration test → Test results
• GRC: Control Objective → Controls
• A Configuration test is mapped to a Control Objective; Controls reflect the test results



Continuous Integration Workflow

Configuration compliance drives the Control compliance (diagram):
• Configuration test → Test results: a test results update triggers an event
• Test results → Indicator: the indicator fails when the test result fails
• Indicator → Issue: an issue is created when the indicator fails
• Issue → Controls: the issue is automatically closed when the test result failure is remediated
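The event chain above (test result → indicator → issue → control), replayed as an added Python model; this is not the deck's or ServiceNow's code. It assumes a mapping table from configuration test to control, one open issue per failing test/CI pair (so a rescan does not open a duplicate), auto-close when a later result passes, and a control status derived from the latest results; the test names, CIs and result stream are constructed sample data.

```python
"""Event-driven model of the Configuration Compliance -> GRC workflow
(illustrative Python, not ServiceNow code).

Assumptions, labelled here and in the lead-in:
- A test result is (test name, configuration item, passed); a mapping
  table relates each configuration test to the control it feeds.
- An Indicator fails when its latest test result fails; one open Issue
  exists per failing (test, CI) pair, so a repeated failure does not open
  a duplicate issue; the Issue is auto-closed when a later result passes.
- Control Status is Compliant when every mapped result passes,
  Not Compliant when any fails, Not Applicable when it has no results yet.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COMPLIANT = "Compliant"
NOT_COMPLIANT = "Not Compliant"
NOT_APPLICABLE = "Not Applicable"


@dataclass
class Issue:
    number: int
    control: str
    test: str
    ci: str
    state: str = "Open"


@dataclass
class ContinuousMonitor:
    test_to_control: Dict[str, str]
    latest: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    issues: List[Issue] = field(default_factory=list)
    events: List[str] = field(default_factory=list)

    def open_issue(self, test: str, ci: str) -> Optional[Issue]:
        """The currently open issue for this indicator, if any."""
        for issue in self.issues:
            if issue.state == "Open" and (issue.test, issue.ci) == (test, ci):
                return issue
        return None

    def on_test_result(self, test: str, ci: str, passed: bool) -> None:
        """A test results update triggers an event: the indicator fails when
        the result fails, an issue is created when the indicator fails, and
        the issue is closed when the failure is remediated (result passes)."""
        if test not in self.test_to_control:
            raise KeyError(f"configuration test not mapped to a control: {test}")
        self.latest[(test, ci)] = passed
        issue = self.open_issue(test, ci)
        if not passed and issue is None:
            issue = Issue(len(self.issues) + 1, self.test_to_control[test], test, ci)
            self.issues.append(issue)
            self.events.append(f"indicator failed: {test} on {ci} -> issue {issue.number} opened")
        elif not passed:
            self.events.append(f"still failing: {test} on {ci} -> issue {issue.number} unchanged")
        elif issue is not None:
            issue.state = "Closed"
            self.events.append(f"remediated: {test} on {ci} -> issue {issue.number} auto-closed")

    def control_status(self, control: str) -> str:
        """Controls reflect the latest test results mapped to them."""
        results = [ok for (test, _ci), ok in self.latest.items()
                   if self.test_to_control[test] == control]
        if not results:
            return NOT_APPLICABLE
        return COMPLIANT if all(results) else NOT_COMPLIANT

    def open_issue_count(self) -> int:
        return sum(1 for issue in self.issues if issue.state == "Open")


def run_example() -> ContinuousMonitor:
    """Replays a constructed stream of test results (sample data, not real)."""
    monitor = ContinuousMonitor(test_to_control={
        "ssh-root-login-disabled": "Harden remote administration",
        "os-patch-level-current": "Patch production servers",
    })
    stream = [
        ("ssh-root-login-disabled", "web01", False),  # indicator fails -> issue 1
        ("ssh-root-login-disabled", "web01", False),  # rescan: no duplicate issue
        ("os-patch-level-current", "web01", True),
        ("os-patch-level-current", "db01", False),    # separate indicator -> issue 2
        ("ssh-root-login-disabled", "web01", True),   # remediated -> issue 1 auto-closed
    ]
    for test, ci, passed in stream:
        monitor.on_test_result(test, ci, passed)
    return monitor


if __name__ == "__main__":
    m = run_example()
    print("\n".join(m.events))
    for control in sorted(set(m.test_to_control.values())):
        print(control, "->", m.control_status(control))
```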



Attestations
• Is the control implemented?
  – Yes
  – No
  – Not applicable
• If yes, attach evidence
• Explain

Note: for phase one look to tailor attestation and create one template



Consolidated Attestations



Entity Architecture



Policy and Compliance Roles

Compliance Admin
• Perform everything the GRC Manager and Compliance User can
• Delete Authority Documents and Citations
• Delete Policies
• Delete Control Objectives
• Delete Controls
• Access to admin properties

Compliance Manager
• Perform everything the Compliance User can
• Create Authority Documents and Citations
• Create Policies
• Create Control Objectives
• Create Controls

Compliance User
• Be assigned to controls
• Respond to attestations
• Group attestations



Base Dashboards



Base Reports
• Total Control Objectives by policy
• Control Objectives by authority document
• Compliance score by department
• Compliance Score trends
• Policy Exceptions by entity
• Policy exceptions by policy
• Policy exceptions by priority
• Active policy exceptions
• Policy exceptions by control objectives
• Compliance requirements
• Exempted Controls
• Control Overview
• Control Details
• Exempted Controls by Entity
• Control Compliance
• Overall Compliance (citation)
• Compliance breakdown (citation)
• Control issues by policy
• Compliance breakdown
• Policy Ack status
• Past Due Acks
• Pending Acks
• Decline Acks
• Exception Requested
• Accepted Acks
• Policy Ack status by policy
Questions?



Governance, Risk and Compliance (GRC)
Process Implementation Workshop

Day 2 - Risk

Speaker Name
Speaker Title
Risk Management
Risk Management ensures that risks with the potential to negatively impact IT and the Business are identified and treated.

Key Roles:
• Audit Committee
• IT Steering Committee
• Risk Officers
• All Levels of Management

Key Activities:
• Determine Organization’s Risk Appetite
• Develop a Risk Management Policy
• Develop Risk Assessment & Response Procedures
• Implement Controls
• Measure!



Risk Management

Risk Management Program (diagram):
• Risk Assessment: Risk Identification & Prioritization; Control Selection
• Risk Response: Control Design; Control Implementation
• Monitoring & Reporting: Control Testing & Remediation
• Internal Control Framework: Policies, Standards, Procedures; Organization Structure
• Business Strategy & IT Strategy



Risk Assessment

The process through which management identifies and analyzes the threats and vulnerabilities that might
adversely affect realization of the organization’s business objectives.



What is Risk?
Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Threat:
• Malicious Insider
• Malicious Outsider
• Non-Malicious Insider
• Equipment Breakdown
• High Temperatures
• Fire
• Flood/Tsunami
• Windstorm/Tornado
• Power Loss

Vulnerability:
• Unsecured entry doors
• Missing Software Patches
• Location built on floodplain
• Unmaintained HVAC system
• Excessive system privileges

Risk:
• Physical damage to IT hardware caused by unauthorized access to the datacenter results in service outage and data loss.
• Data breach caused by missing software patches results in disclosure of patient health information.
• Erroneous journal entries caused by inappropriate system privileges results in material misstatement of financials.



Risk Assessment Process
A strategic, well planned risk assessment is required for an effective risk management program.

Optimal:
• Starts with Business Service Assessment
• Then identifies the supporting IT Services
• Quantifies what is important
• Identifies all of the components that make up the service
• Has meaningful risk statements
• Quantifies the Risk

Sub Optimal:
• No risk assessment at all
• Is not driven by business
• Treats all IT Services Equally
• Control Framework Checklist
• Doesn’t identify all of the individual components of a Service
• Doesn’t prioritize risk

Service decomposition and criticality shown in the diagram: Business Service → IT Service → Application, Database → Server, Virtual Server → Physical Server → Datacenter 1, Datacenter 2



Risk Response
Applying Controls to Minimize Risk

Risk Management Program (diagram):
• Risk Assessment: Risk Identification & Prioritization; Control Selection
• Risk Response: Control Design; Control Implementation
• Monitoring & Reporting: Control Testing & Remediation
• Internal Control Framework: Policy, Standards, Procedures; Organization Structure
• Business Strategy & IT Strategy



Risk Management Architecture



Risk Statements



Risk Statement
• Name
• Framework
• Issue group rule
• Description
• Additional information
• Inherent SLE (or Inherent impact)
• Inherent ARO (or Inherent likelihood)
• Residual SLE (or Residual impact)
• Residual ARO (or Residual likelihood)
• Category
  – Financial
  – Operational
  – Reputational
  – Legal/Regulatory
  – Credit
  – Market
  – IT



Risk



Risk – Scoring and Response Tabs



Risk – Monitoring and Activity Journal Tabs



Risk Management Process

Draft → Assess → Respond → Review → Monitor → Retired



Risk

• Name
• Owning group
• Owner
• Entity
• Description
• Additional information
• Statement
• State
  – Draft
  – Assess
  – Respond
  – Review
  – Monitor
  – Retired
• Inherent SLE (or Inherent impact)
• Inherent ARO (or Inherent likelihood)
• Inherent ALE
• Inherent score
• Calculated ALE
• Calculated score
• Residual SLE (or Residual impact)
• Residual ARO (or Residual likelihood)
• Residual ALE
• Residual score
• Category
  – Financial
  – Operational
  – Reputational
  – Legal/Regulatory
  – Credit
  – Market
  – IT



Risk Response

• A Process by which a risk that has been determined following a formal risk assessment is dispositioned or treated
• Can be done as part of an independent risk assessment or as part of a policy exception that may require a risk assessment followed by a risk acceptance process
• A risk manager will have to figure out what needs to be done to address the risk. Options include:
  – Mitigate
  – Accept
  – Avoid
  – Transfer



Risk Response – In Practice

• Risk manager completes a risk assessment and needs a way to handle/treat the risk
• GRC user seeks a policy exception for which a compliance manager refers the exception request for a formal risk assessment to be followed by a risk acceptance process if required
• The risk determined needs to be dispositioned in one of the following ways
  – Mitigate the risk → Action: Deploy mitigating control(s)
  – Accept the risk → Action: Business owner understands and signs off on the risk
  – Avoid the risk → Action: Reject the risk and deploy measure(s) to avoid risk
  – Transfer the risk → Action: Transfer risk to another party or entity

83 © 2020 ServiceNow, Inc. All Rights Reserved. Confidential.


Risk Response Workflow
• A response state has been added to manage the type of response to a risk (Accept, Avoid, Mitigate, Transfer)
• A risk response process is addressed by response tasks
• Flow: Risk response state → Risk response task → Risk review state
• Risk response task types:
– Risk acceptance → Risk owner approval
– Risk avoidance
– Risk mitigation
– Risk transfer
• Only one response task is opened at a time


Risk Scoring

• Quantitative or qualitative scoring?
• Requirements discussion: review the next slides on the two types of scoring and decide which one you want to use


Risk Scoring - Quantitative
• Inherent SLE
• Inherent ARO
• Inherent ALE
• Inherent Score
• Calculated ALE
• Calculated Score
• Residual SLE
• Residual ARO
• Residual ALE
• Residual Score


Risk Scoring - Qualitative
• Inherent impact
– 5 – Very High
– 4 – High
– 3 – Medium
– 2 – Low
– 1 – Very Low
• Inherent likelihood
– 5 – Very High
– 4 – High
– 3 – Medium
– 2 – Low
– 1 – Very Low
• Inherent ALE
• Inherent Score
• Calculated ALE
• Calculated Score
• Residual impact
– 5 – Very High
– 4 – High
– 3 – Medium
– 2 – Low
– 1 – Very Low
• Residual likelihood
– 5 – Very High
– 4 – High
– 3 – Medium
– 2 – Low
– 1 – Very Low
• Residual ALE
• Residual Score


Qualitative Risk Criteria
Risk Score Type   Risk Score                Maximum Value
Impact            1 – Very Low              $1,000,000.00
Impact            2 – Low                   $5,000,000.00
Impact            3 – Moderate              $10,000,000.00
Impact            4 – High                  $20,000,000.00
Impact            5 – Very High             $25,000,000.00
Likelihood        1 – Extremely Unlikely    20%
Likelihood        2 – Unlikely              40%
Likelihood        3 – Neutral               60%
Likelihood        4 – Likely                80%
Likelihood        5 – Extremely Likely      100%
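The two scoring modes on the preceding slides, as an added worked example in JavaScript; this is not ServiceNow code and not part of the workshop deck. It assumes the standard definitions ALE = SLE × ARO for quantitative scoring and score = impact × likelihood (1..5 each) for qualitative scoring, and, to turn a qualitative rating into a monetary figure, treats the criteria table's maximum impact value as the SLE and its maximum likelihood as the ARO. The sample risk records are constructed. It also flags the data-quality case a reviewer wants to catch: a residual exposure larger than the inherent one.

```javascript
// Added example, not ServiceNow code: risk scoring arithmetic for the
// Quantitative and Qualitative scoring modes on the preceding slides.
// Assumptions: ALE = SLE x ARO (standard definition), qualitative score =
// impact x likelihood on 1..5 scales, and the criteria table's maximum
// values stand in for SLE (impact) and ARO (likelihood).

// Criteria transcribed from the "Qualitative Risk Criteria" slide.
const IMPACT_CRITERIA = {
  1: { label: "Very Low",  maxValue: 1e6 },
  2: { label: "Low",       maxValue: 5e6 },
  3: { label: "Moderate",  maxValue: 10e6 },
  4: { label: "High",      maxValue: 20e6 },
  5: { label: "Very High", maxValue: 25e6 },
};
const LIKELIHOOD_CRITERIA = {
  1: { label: "Extremely Unlikely", maxValue: 0.2 },
  2: { label: "Unlikely",           maxValue: 0.4 },
  3: { label: "Neutral",            maxValue: 0.6 },
  4: { label: "Likely",             maxValue: 0.8 },
  5: { label: "Extremely Likely",   maxValue: 1.0 },
};

// Quantitative mode: Annualised Loss Expectancy from Single Loss Expectancy
// (currency) and Annualised Rate of Occurrence (events per year).
function annualisedLossExpectancy(sle, aro) {
  if (!(sle >= 0) || !(aro >= 0)) {
    throw new RangeError("SLE and ARO must be non-negative numbers");
  }
  return sle * aro;
}

// Qualitative mode: 1..5 impact times 1..5 likelihood gives a 1..25 score.
function qualitativeScore(impact, likelihood) {
  for (const v of [impact, likelihood]) {
    if (!Number.isInteger(v) || v < 1 || v > 5) {
      throw new RangeError("impact and likelihood must be integers 1..5");
    }
  }
  return impact * likelihood;
}

// Monetary ceiling implied by a qualitative rating: max impact value times
// max likelihood, rounded to whole currency units.
function qualitativeExposure(impact, likelihood) {
  qualitativeScore(impact, likelihood); // range check only
  return Math.round(IMPACT_CRITERIA[impact].maxValue * LIKELIHOOD_CRITERIA[likelihood].maxValue);
}

// Score one risk record in either mode and attach review findings.
function scoreRisk(risk) {
  const out = { name: risk.name, mode: risk.mode, findings: [] };
  if (risk.mode === "quantitative") {
    out.inherentALE = annualisedLossExpectancy(risk.inherentSLE, risk.inherentARO);
    out.residualALE = annualisedLossExpectancy(risk.residualSLE, risk.residualARO);
  } else if (risk.mode === "qualitative") {
    out.inherentScore = qualitativeScore(risk.inherentImpact, risk.inherentLikelihood);
    out.residualScore = qualitativeScore(risk.residualImpact, risk.residualLikelihood);
    out.inherentALE = qualitativeExposure(risk.inherentImpact, risk.inherentLikelihood);
    out.residualALE = qualitativeExposure(risk.residualImpact, risk.residualLikelihood);
  } else {
    throw new TypeError(`unknown scoring mode: ${risk.mode}`);
  }
  // Controls are meant to reduce exposure; residual above inherent usually
  // means the response data or the rating was entered wrongly.
  if (out.residualALE > out.inherentALE) {
    out.findings.push("residual exposure exceeds inherent exposure; review response data");
  }
  return out;
}

// Constructed sample records (not from the slides).
const SAMPLE_RISKS = [
  { name: "Data centre outage", mode: "quantitative",
    inherentSLE: 2e6, inherentARO: 0.5, residualSLE: 2e6, residualARO: 0.1 },
  { name: "Privileged account misuse", mode: "qualitative",
    inherentImpact: 4, inherentLikelihood: 3, residualImpact: 4, residualLikelihood: 2 },
  { name: "Mis-entered risk", mode: "qualitative",
    inherentImpact: 2, inherentLikelihood: 2, residualImpact: 3, residualLikelihood: 3 },
];

function scoreAll(risks = SAMPLE_RISKS) {
  return risks.map(scoreRisk);
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scoreAll(), null, 2));
}
```

Running it scores the quantitative record to an inherent ALE of 1,000,000 and a residual ALE of 200,000, rates the second record 12 (inherent) and 8 (residual) with exposures of 12,000,000 and 8,000,000, and attaches a finding to the third record because its residual exposure (6,000,000) exceeds its inherent exposure (2,000,000).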
Risk Response and Monitoring
• Response
– Accept
– Avoid
– Mitigate
– Transfer
• Calculated risk factor
• Control compliance
• Control non-compliance
• Control failure factor
• Indicator failure factor


Base Risk Reports
• Exempted Controls Risks
• High Inherent Risk
• High Residual Risk
• Inherent Annual Loss Exposures
• Inherent Risk
• Inherent Risk Heatmap
• Low Inherent Risk
• Low Residual Risk
• Moderate Inherent Risk
• Moderate Residual Risk
• Residual Annual Loss Exposures
• Residual Risk
• Residual Risk Heatmap
• Risk by Entity
• Risk Exceptions
• Risk Issues by Framework (Opened Date)
• Risk PA Indicator Breaches
• Risks by Category
• Risks by Response
• Total Risk Exposure
• Very High Inherent Risk
• Very High Residual Risk
• Very Low Inherent Risk
• Very Low Residual Risk


Risk Roles

Risk Admin
• Perform everything GRC Admin, Risk Manager and Risk user can
• Delete Risk Frameworks
• Delete Risk Statements
• Delete Risk
• Modify admin properties
• Modify risk criteria

Risk User
• Perform everything GRC user can
• Be assigned to risk

Risk Manager
• Perform everything GRC Manager and Risk user can
• Create Risk Frameworks
• Create Risk Statements
• Create Risks


Risk Roles
Risk reader

Role title [name]: Risk Reader [sn_risk.reader]
Description:
• Contains the reader role in sn_grc scope.
• In addition to the inherited permissions, the risk reader has read-only access rights to the Risk application and modules and can be assigned risks.
Contains roles:
• sn_grc.reader


Risk Roles
Risk user

Role title [name]: Risk User [sn_risk.user]
Description:
• Contains the reader and user roles in sn_grc scope, and the reader role in the Risk Management application.
• In addition to the inherited permissions, the risk user can view entity types, entities, risks, and remediation tasks.
• The risk user can be assigned risks and has read-only access to the Policy and Compliance Management application and modules.
Contains roles:
• sn_grc.reader
• sn_grc.user
• sn_risk.reader
Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated:
• grc_compliance_reader
• grc_user
• grc_audit_reader
• grc_control_test_reader
• task_editor


Risk Roles
Assessment Creator

Role title [name]: Assessment Creator [sn_risk.asmt_creator]
Description:
• Contains the reader and user role in sn_risk scope.
• In addition to the inherited permissions, the assessment creator can create, update, and publish Risk Assessments.
Contains roles:
• sn_grc.reader
• sn_grc.user
• sn_grc.manager
• sn_risk.reader
• sn_risk.user
Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated:
• grc_audit_reader
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• certification
• grc_compliance_reader
Risk Roles
Risk manager

Role title [name]: Risk Manager [sn_risk.manager]
Description:
• Contains the reader, user, and manager roles in sn_grc scope, and the reader and user roles in the Risk Management application.
• In addition to the inherited permissions, the risk manager can create risk frameworks, risk statements, and risks.
Contains roles:
• sn_grc.reader
• sn_grc.user
• sn_grc.manager
• sn_risk.reader
• sn_risk.user
Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated:
• grc_audit_reader
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
• assessment_admin
• certification
• grc_compliance_reader
• certification_filter_admin
Risk Roles
Risk admin

Role title [name]: Risk Admin [sn_risk.admin]
Description:
• Contains the reader, user, manager, and admin roles in sn_grc scope, and the reader, user, and manager roles in the Risk Management application.
• In addition to the inherited permissions, the risk admin can delete risk frameworks, risk statements, and risks, and modify admin properties and risk criteria.
Contains roles:
• sn_grc.reader
• sn_grc.user
• sn_grc.manager
• sn_grc.admin
• sn_risk.reader
• sn_risk.user
• sn_risk.manager
Inherits the following roles if the GRC: Policy and Compliance Management plugin is activated:
• grc_audit_reader
• task_editor
• certification_admin
• grc_test_definition_admin
• grc_control_test_reader
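The containment lists on the five role slides above, turned into an added JavaScript example (not ServiceNow code) that resolves a user's effective role set and answers capability questions from it, the way an access review would. The role names are the ones on the slides; the capability-to-role map follows the Risk Admin / Risk User / Risk Manager slide, and the sample user assignments are constructed. The plugin-conditional roles are modelled by a flag, since whether they are inherited depends on whether GRC: Policy and Compliance Management is activated.

```javascript
// Added example, not ServiceNow code: resolve effective roles from the
// "Contains roles" lists on the Risk Roles slides and check capabilities
// against them. Role names come from the slides; the capability map and the
// sample assignments are constructed for illustration.

// Direct containment, transcribed from the slides.
const CONTAINS = {
  "sn_risk.reader": ["sn_grc.reader"],
  "sn_risk.user": ["sn_grc.reader", "sn_grc.user", "sn_risk.reader"],
  "sn_risk.asmt_creator": ["sn_grc.reader", "sn_grc.user", "sn_grc.manager",
                           "sn_risk.reader", "sn_risk.user"],
  "sn_risk.manager": ["sn_grc.reader", "sn_grc.user", "sn_grc.manager",
                      "sn_risk.reader", "sn_risk.user"],
  "sn_risk.admin": ["sn_grc.reader", "sn_grc.user", "sn_grc.manager", "sn_grc.admin",
                    "sn_risk.reader", "sn_risk.user", "sn_risk.manager"],
};

// Inherited only when the GRC: Policy and Compliance Management plugin is active.
const PCM_INHERITED = {
  "sn_risk.user": ["grc_compliance_reader", "grc_user", "grc_audit_reader",
                   "grc_control_test_reader", "task_editor"],
  "sn_risk.asmt_creator": ["grc_audit_reader", "task_editor", "certification_admin",
                           "grc_test_definition_admin", "grc_control_test_reader",
                           "assessment_admin", "certification", "grc_compliance_reader"],
  "sn_risk.manager": ["grc_audit_reader", "task_editor", "certification_admin",
                      "grc_test_definition_admin", "grc_control_test_reader",
                      "assessment_admin", "certification", "grc_compliance_reader",
                      "certification_filter_admin"],
  "sn_risk.admin": ["grc_audit_reader", "task_editor", "certification_admin",
                    "grc_test_definition_admin", "grc_control_test_reader"],
};

// Least role that grants each capability, per the Risk Admin / User / Manager slide
// (constructed map; "be assigned risks" follows the Risk Reader table).
const CAPABILITY_ROLE = {
  "be assigned risks": "sn_risk.reader",
  "publish risk assessments": "sn_risk.asmt_creator",
  "create risk frameworks": "sn_risk.manager",
  "create risks": "sn_risk.manager",
  "delete risks": "sn_risk.admin",
  "modify risk criteria": "sn_risk.admin",
};

function roleFor(capability) {
  const role = CAPABILITY_ROLE[capability];
  if (!role) throw new Error(`unknown capability: ${capability}`);
  return role;
}

// Transitive closure over containment (plus plugin inheritance when active).
function effectiveRoles(granted, pcmActivated = false) {
  const seen = new Set();
  const stack = [...granted];
  while (stack.length > 0) {
    const role = stack.pop();
    if (seen.has(role)) continue;
    seen.add(role);
    stack.push(...(CONTAINS[role] || []));
    if (pcmActivated) stack.push(...(PCM_INHERITED[role] || []));
  }
  return seen;
}

function can(granted, capability, pcmActivated = false) {
  return effectiveRoles(granted, pcmActivated).has(roleFor(capability));
}

// Least-privilege review: effective roles the user holds that are not
// reachable from the roles their declared capabilities actually need.
function excessRoles(granted, capabilities) {
  const allowed = effectiveRoles(capabilities.map(roleFor));
  return [...effectiveRoles(granted)].filter((r) => !allowed.has(r)).sort();
}

// Constructed sample assignments (not from the slides).
const SAMPLE_USERS = [
  { user: "risk.manager.1", roles: ["sn_risk.manager"], needs: ["create risks"] },
  { user: "contractor.7",   roles: ["sn_risk.admin"],   needs: ["create risks"] },
];

function reviewAll(users = SAMPLE_USERS) {
  return users.map((u) => ({
    user: u.user,
    canDeleteRisks: can(u.roles, "delete risks"),
    excess: excessRoles(u.roles, u.needs),
  }));
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(reviewAll(), null, 2));
}
```

The review reports that the manager holds nothing beyond what creating risks requires and cannot delete risks, while the contractor granted sn_risk.admin for the same job carries sn_grc.admin and sn_risk.admin in excess and can delete risks. The plugin flag matters for reviews: sn_risk.user only implies grc_user once GRC: Policy and Compliance Management is active.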
Dashboard – Risk Overview



Governance, Risk and Compliance
(GRC)
Process Implementation Workshop

Day 3 – Advanced Risk

Speaker Name
Speaker Title
Risk Management
Risk Management ensures that risks with the potential to negatively impact IT and the Business are identified and
treated.

Key Roles
• Audit Committee
• IT Steering Committee
• Risk Officers
• All Levels of Management

Key Activities
• Determine Organization’s Risk Appetite
• Develop a Risk Management Policy
• Develop Risk Assessment & Response Procedures
• Implement Controls
• Measure!


Risk Management

Risk Management Program (layers, top to bottom)

• Risk Assessment → Risk Response → Monitoring & Reporting
• Risk Identification & Prioritization → Control Selection → Control Design → Control Implementation → Control Testing & Remediation
• Internal Control Framework
• Policies, Standards, Procedures
• Organization Structure
• Business Strategy & IT Strategy


Risk Events

• Risk events are potential or actual financial and non-financial losses, near misses, and gains that occur within an organization.
• Risk events can be created using either the Service Portal or your ServiceNow instance.


Risk Events Life Cycle



Report Risk Events from Service Portal
• The ‘Report Risk Event’ record producer is configured so that any user can report risk events.
• It can be accessed through the Service Portal.
• Catalog – ‘Service Catalog’
• Category – ‘Governance Risk and Compliance’


Risk Event



Risk Event - Fields
• Name
• Number
• Discovered by
– Employee
– Management Assurance
– Customer Feedback/Complaint
– Internal Audit
– External Investigation
– Internal Investigation
– Regulatory Review
• Opened by
• Primary entity
• Owning group
• Owner
• Description
• Cost Center
• State
– New
– Analyze
– Rejected
– Awaiting Approval
– Approved
– Closed
• Substate
– Clarification Requested
– Clarification Provided
• Event type
– Financial Impact
– Non-Financial Impact
• Sub type
– Actual
– Potential
• Category
– Personal
– Legal
– Information Security
– Human Resources
– All
Risk Event – Dates, Loss/Gain Estimates, Event Analysis Sections



Risk Event – Credit/Market Risk, Additional Classifications, Summary Sections


Risk Event – Activity Section



Risk Event State Flow

New → Analyze → Awaiting Approval → Approved → Closed; Rejected


Risk Event Integration
• Integrate other ServiceNow applications with GRC and easily report risk events from within those applications. This integration saves time for all users.
• When risk administrators configure the risk event integration, users can report risk events directly from any upstream application.
• The benefit of this integration is that customers can push these events efficiently into the risk event database without duplicating effort.
• The source can be any table within ServiceNow; e.g. an Incident or Change can lead to a risk event, which can be injected automatically based on defined conditions.


Risk Event Integration



Risk Event Response Template

• A risk event response template automates the process of adding approvers, issues, and owners to a risk event based on the conditions defined in the template.
• Users can also define the threshold amount for approvers for a risk event.
• A template can be defined for any entity, and all the child entities inherit the rules defined in the risk event response template.


Risk Event Response Template



Advanced Risk Assessment
• With Governance, Risk, and Compliance (GRC) Advanced Risk Assessment, create an integrated risk platform. This integrated platform supports various kinds of risk assessment methodologies and enables customers to integrate risk assessment into their overall decision-making process.
• Advanced risk assessment offers the following benefits:
– Digitizes the complete risk management life cycle, including risk identification, risk analysis, risk evaluation, risk treatment, and monitoring
– Customizes the risk assessment process to the unique needs of an organization. This customization includes configuring the assessment criteria, the context, and the overall risk scoring logic in a simple way.
– Supports both qualitative and quantitative risk assessment methods so that you can analyze risks efficiently.
– Aggregates bottom-up risk assessment scores automatically across the risk.
– Enables embedding the risk assessment process in the workspace for first-line users. This embedding helps users make informed decisions based on the risks associated with their actions.
• Risk assessment consists of risk identification, risk analysis, and risk evaluation. Advanced risk assessment is performed based on factors or questions and their responses. It can be performed for an entity such as an organization.


Five key principles
• Risk identification: Find, describe, and recognize an uncertainty that might help or prevent an organization in achieving its objectives.
• Risk analysis: Understand the cause and consequence of the risk if the risk materializes.
• Risk evaluation: Compare the results of the risk analysis with the established risk criteria to determine whether additional action is required.
• Risk treatment: Define an action plan to address the risk.
• Risk monitoring: Track the risk posture of the organization and communicate it to relevant stakeholders.


Risk Assessment Factors

• Factors are aspects based on which users can analyse risks.
• Factors appear as questions on a risk assessment instance.
• Four types of factors:
– Manual
– Group
– Automated
– Automated Scripted
• Three types of factor contributions:
– Qualitative
– Quantitative
– Both


Manual Factor



Group Factors



Automated Factors



Automated Scripted Factors



Risk Assessment Methodologies
• Configure the Risk Assessment Methodology (RAM) for assessing either the risks or objects in your
organization. A RAM is configured to specify the types of risk assessments and the entities on which risk
assessment is performed. A configured RAM is an object with associated assessment types that have
associated factors.
• Some common examples:
– Operational Risk Management
– Enterprise Risk Assessment
– Application Risk Assessment
– Compliance Risk Assessment
– Risk Control Self-Assessment


Risk Assessment Methodologies



Assessment Types

• Inherent Assessment
• Control Effectiveness Assessment
• Residual Assessment



Inherent Assessment
• Configure the inherent assessment criteria with details such as factors, the scoring logic, and the rating criteria. These details are the aspects on which the risk assessment is performed. This exercise ensures that each Risk Assessment Methodology (RAM) has its own inherent assessment criteria.


Control Effectiveness Assessment
• Configure and publish the control effectiveness assessment to assess how effectively controls mitigate inherent risks.


Residual Assessment
• Configure and publish the residual assessment to assess the residual risks in an organization.


Risk Assessment Scope
• Create a risk assessment scope to define and identify risks for an entity, identify assessors and approvers
for assessments, and define the frequency of assessments. This process provides visibility and accurate
reporting for the management.



Advanced Risk Assessment Life cycle

Ready to Assess → Inherent Assessment → Control Effectiveness Assessment → Residual Assessment → Awaiting Approval → Respond → Monitor


Dashboard - Overview



Dashboard – Overview by Entity



Dashboard – Overview by Risk Class



Dashboard – Advanced Risk Assessment Overview



Dashboard – Operation Risk Management



Basel Dashboard



Questions?



Governance, Risk and Compliance
(GRC)
Process and Implementation Workshop

Day 4 - Audit

Speaker Name
Speaker Title
The Audit Process

Major objectives in the Audit process include:

• Ensure that the risks are properly identified and quantified.
• Ensure that controls are designed in a way that effectively reduces the identified risks.
• Ensure that controls are properly monitored for operating effectiveness.
• Ensure that control deficiencies are identified and remediated.


Gather Audit Evidence

Audit Process Issue
• Known risks
• New risks
• Modified risk scores
• Controls
– Control design
– Frequency
– Owner(s)

Audit Observations
• Control test design:
– Control tester(s)
– Test frequency
• Test results:
– % Pass/Fail
– Validate results
• New controls
• Control design recommendations

Risk Management Program (layers, top to bottom)
• Risk Assessment → Risk Response → Monitoring & Reporting
• Risk Identification & Prioritization → Control Selection → Control Design → Control Implementation → Control Testing & Remediation
• Internal Control Framework
• Policies, Standards, Procedures
• Organization Structure


Audit Management Architecture



Setting Up Audit Test Framework

Create Entity Type(s) → Create Entities → Create Test Templates → Create Test Plans


Setting Up Engagement
Change Test Templates/Plans as needed → Create Engagement → Determine Entities to be tested → Move Engagement to Validate → Generate Control Test


Engagement



Engagement Process

Scope → Validate → Fieldwork → Awaiting Approval → Follow Up → Closed


Engagement
• Number
• Name
• Assigned to
• Audit period start
• Audit period end
• Description
• Objectives
• Percent complete
• State
– Scope
– Validate
– Fieldwork
– Awaiting Approval
– Follow Up
– Closed Complete
– Closed Incomplete
• Auditors
• Additional Comments
• Approvers
• Planned start date
• Planned end date
• Planned duration
• Actual start date
• Actual end date
• Actual duration
• Result
– Satisfactory
– Adequate
– Inadequate
– Opinion
• Opinion
• Knowledge base
• Report Template
• KB article
Test Template



Test Template

• Number
• Control Objective
• Short description
• Duration
• Design expectation
• Design assessment procedures
• Operation expectations
• Operation assessment procedures



Test Plan



Test Plan

• Number
• Control
• Test Template
• Short description
• Duration
• Design expectation
• Design assessment procedures
• Operation expectations
• Operation assessment procedures



Audit Task
Types:
• Control Test
• Walkthrough
• Interview
• Activity



Audit Task Process

Open → Work In Progress → Review → Closed


Audit Task
• Number
• Parent
• Assigned to
• Short description
• Description
• State
– Open
– Work In Progress
– Review
– Closed Complete
– Closed Incomplete
– Closed Skipped
• Planned start date
• Planned end date
• Planned duration
• Actual start date
• Actual end date
• Actual duration
• Additional Comments


Audit Task – Walkthrough



Audit Task – Walkthrough Applicable Fields

• Primary Contact
• Other Contacts
• Execution Steps
• Explanation
• Additional Information
• Results



Control Test



Control Test
• Parent
• Assigned to
• Control
• Test plan
• Short description
• State
– Open
– Work in Progress
– Review
– Closed Complete
– Closed Incomplete
– Closed Skipped
• Control effectiveness
– None
– Effective
– Ineffective
• Issue


Control Test - Schedule

• Planned start date
• Planned end date
• Planned duration
• Actual start date
• Actual end date
• Actual duration


Control Test – Design Test

• Design effectiveness
– None
– Effective
– Ineffective

• Design expectations
• Design assessment procedures
• Design results



Control Test – Operational Test

• Operation effectiveness
– None
– Effective
– Ineffective

• Operation expectations
• Operation assessment procedures
• Operation results



Audit Roles

Audit Admin
• Perform everything GRC Admin, Audit Manager and Audit user can
• Delete Engagements
• Delete Audit Tasks
• Delete Test Templates
• Delete Test Plans

Audit Manager
• Perform everything GRC Manager and Audit user can
• Create Engagements
• Create Audit Tasks
• Create Test Plans

Audit User
• Perform everything GRC user can
• Be assigned to audit tasks
• Create Test Templates


Base Audit Management Reports

Control Test
• Control Test Results

Engagement
• Adequate Engagements
• Inadequate Engagements
• Satisfactory Engagements

Control and Engagement
• Controls by Engagement
• Engagement Results

Entity and Engagement
• Entities by Engagement

Audit
• Overdue Audit Tasks
• Audit Task Breakdown


Audit Engagement Overview dashboard



Audit Manager dashboard



Questions?
Contact information goes here



Thank You!

